Hard, cold IT security truths from SANS at RSA 2011

One of the last sessions of RSA Conference 2011 in San Francisco was one of the best, in which the SANS institute ran through some hard, cold truths.

End-to-end encryption is not a panacea for data breaches, said Ed Skoudis, founder of InGuardians consultancy, author, and lecturer at the SANS institute.

Many so-called end-to-end encryption solutions, it turns out, decrypt data for processing in applications. Attackers know this and so are going after the data while it sits in clear text in memory. Virtualisation is no fix either, as attackers are equally able to capture whatever is held in a virtual machine's memory.

IPv6 also turns out to be a major point of vulnerability, mainly because most organisations do not realise that it is enabled by default on their systems, and they are consequently not doing anything to monitor for exploits or malware.

Businesses should shut down IPv6 throughout the network until they are more familiar with it, have a real need for it and a plan to roll it out, and have some defences in place, said Johannes Ullrich, head of the SANS Internet Storm Center.

Preparation for IPv6 will take most big corporations about a year, he said, so they should get started and get educated now.
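The IPv6 point above is easy to verify on a Linux host before deciding whether to switch it off. The script below is an added example, not code from the article or from SANS: it parses `ip -6 addr` output (a constructed sample is embedded so it runs offline) and reports which interfaces have IPv6 enabled at all, which carry a routable global-scope address, and which picked that address up by autoconfiguration from a router advertisement, then lists the sysctl settings that disable IPv6 on current and future interfaces. The function names are my own; the sysctl keys are the standard Linux ones.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `ip -6 addr` output. eth0 has acquired a global
# address via router advertisements (the unmonitored case the talk warns
# about), eth1 has only the link-local address every IPv6-enabled interface
# gets, and lo carries the loopback address ::1.
SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a00:27ff:fe4e:66a1/64 scope global dynamic mngtmpaddr
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::a00:27ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:\s]+):")
INET6_RE = re.compile(r"^\s+inet6\s+(\S+)\s+scope\s+(\w+)(.*)$")


def parse_ip6_addr(text):
    """Return {iface: [(address, scope, dynamic)]} from `ip -6 addr` output.

    Interfaces without any inet6 line are still listed with an empty list so
    the caller can tell 'IPv6 off' apart from 'interface not present'.
    """
    result = defaultdict(list)
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            result[iface]  # register the interface even with no addresses
            continue
        m = INET6_RE.match(line)
        if m and iface is not None:
            addr, scope, rest = m.groups()
            result[iface].append((addr, scope, "dynamic" in rest.split()))
    return dict(result)


def audit_ipv6(text):
    """Summarise IPv6 exposure: interfaces with IPv6 enabled (loopback
    excluded), interfaces with a routable global address, and interfaces
    that obtained an address by autoconfiguration."""
    parsed = parse_ip6_addr(text)
    enabled = sorted(i for i, addrs in parsed.items() if addrs and i != "lo")
    routable = sorted(i for i, addrs in parsed.items()
                      if any(scope == "global" for _, scope, _ in addrs))
    autoconf = sorted(i for i, addrs in parsed.items()
                      if any(dyn for _, _, dyn in addrs))
    return {"enabled": enabled, "routable": routable, "autoconf": autoconf}


def disable_ipv6_sysctl():
    """Linux sysctl settings that turn IPv6 off on all existing interfaces
    and on any interface created later; place them in /etc/sysctl.d/ so they
    survive a reboot."""
    return [
        "net.ipv6.conf.all.disable_ipv6 = 1",
        "net.ipv6.conf.default.disable_ipv6 = 1",
    ]


if __name__ == "__main__":
    # Run with "-" to audit live output:  ip -6 addr | python3 ipv6_audit.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_IP6_ADDR
    report = audit_ipv6(text)
    for key in ("enabled", "routable", "autoconf"):
        print(f"{key:9s}: {', '.join(report[key]) or '(none)'}")
    if report["enabled"]:
        print("to disable, set:")
        for line in disable_ipv6_sysctl():
            print("  " + line)
```

Against the embedded sample the audit reports eth0 and eth1 as IPv6-enabled, eth0 alone as routable and autoconfigured. An interface that shows up only as "enabled" still answers on its link-local address, so it belongs in the monitoring plan even before it is reachable from outside the segment.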

Interestingly, Ullrich’s closing point was that information security professionals within organisations tend to get distracted by the threat of the day, which means they are not necessarily paying enough attention to doing the basics.

He reiterated what many security industry experts have been saying for at least the past year: many organisations have yet to achieve proper defence in depth. Many are still not using alternatives to passwords for authentication, and those relying on passwords alone are typically not changing them regularly.

Ullrich’s parting shot was: “Above all, ensure you know what you have on your network so you will be able to identify what should not be there.”